Azure Active Directory
Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.
Thank you for joining our community and helping improve Azure AD!
Wehave a new log in experience integrated with Azure AD, and we stronglyrecommend you log in with your Azure AD (Office 365) account. If yourUserVoice account is the same email address as your Azure AD account, yourprevious activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...
-
Utilize AAD Security Groups for Device "Additional Local Administrators" support
Emulating the Intune Roles method with Assignments, Members and Scopes would be ideal. Also the ability to disable Global Admin access (limit to groups/scopes added).
133 votesWe’re currently working on this capability and will provide an update when it’s done.
However, instead of expanding the “Additional Local administrators” setting, we will support adding AAD groups to Windows 10 local groups (.e.g Administrators, Remote Desktop Users) via MDM policy and elevate user privileges on logon. This will provide greater flexibility to assign different groups to different devices
—
Ravi -
"Change password" policy
Add a new Azure AD B2C policy that allows a signed-in user to change his or her password. Not the same as password reset.
133 votesWe are in the process of planning this feature and hope to have a preview available by the end of november. In the meantime, could you please respond to aadb2cpreview@microsoft.com with your responses to the following questions:
- If you had a “password change” policy, what kind of information would you like to get back once the policy has been executed?
- Would you prefer to have a policy that forces you to sign in first, and then asks you to change the password, or one that let’s you do it all on the same page?
- Would you want an email to get sent out to the user whenever the password is changed? -
Support for 3rd party EMM solutions when requiring device compliance
We use Airwatch for managing mobile devices. We want to use conditional access policies to ensure the device has been marked as compliant by Airwatch before allowing access to certain applications.
Currently Azure AD Conditional Access Policies only supports InTune for checking device compliance as described @ https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-policy-connected-applications#trusted-devices. This should be extended to support 3rd party EMM solutions.
132 votesThanks for your feedback. Microsoft is currently working with third party MDM providers to enable this scenario. We will update this thread once we have more information to share.
-
Allow more customization of the myapps.microsoft.com portal.
Would be great if I could forward a subdomain to our myapps.microsoft.com portal. Instead of giving users a the microsoft.com URL, I want to give them one.theblaze.com.
Second, would be great if there was a newsfeed widget at the top of the portal that could show an RSS feed of company news.
130 votesThanks so much for the feedback! Customizations of the My Apps portal for both end users and admins are on our roadmap. This includes providing the ability to re-arrange and group apps and as well as using a customizable domain.
We are also looking to see if we can enable embedding other components like widgets. We’re still in process of validating options for this.
Please keep sharing your feedback and ideas around this! -
AADB2C: How-to on multi-tenant applications based on B2C
As service provider using Azure as the underlying platform, I want to create an application that allows companies to create and manage their tenants and users within my service in order to provide a public service area as well as a privately owned area for the company.
I've read about B2C supporting multi-tenant, but I couldn't find hints within the documentation...
129 votesWe are currently prioritizing Azure AD as and identity provider into B2C. We will review this request after that work is done. Keep the requests coming! /Jose Rojas
-
Restore Azure Active Directory Security groups
Restore Azure Active Directory Security groups
128 votes -
CORS for App Proxy
There should be CORS setting available on App Proxy just like we have the CORS available for App Services.
Making calls from Azure Apps into an Azure App Proxy App is a very common scenario, especially when on-prem applications are surfaced externally using App proxy.
More details - http://stackoverflow.com/questions/43955808/cors-prelight-issue
128 votesWe are looking at enabling a feature that focuses on supporting CORS preflight requests between two applications. This works by allowing you to configure the response and have App Proxy handle it on behalf of the app.
A pre-requisite for this feature to work is that the user must be able to authenticate into the second application in order to avoid a CORS issue from the login flow into the second app.
To avoid this the user will have to make sure they have already accessed the 2nd application before the CORS request, and has valid credentials. This should work for wildcard apps and can also be achieved by adding a fake link / image to the 2nd application in the first application.We would love to get your feedback on this requirement and if this is something that will fit your use case.
-
Allow password expiration policy to sync from on-prem AD to Azure AD
Why doesn't a users cloud password expire when the on-prem password expires? We use an Azure Application Proxy App to securely publish an extranet to many employees and vendors whom never log into our domain directly but have on-prem AD accounts. To ensure they change their passwords regularly, we have to change their on-prem password once it expires so they are forced to use SSPR and create a new password.
124 votesWe are currently investigating how we can best implement this feature.
-
AADB2C: include username in JWT claims
AADB2C supports either email addresses or usernames for accounts. If a directory uses usernames, you don't get that username as a claim in the JWT. This means an extra trip to Azure must be made to retrieve the username. Please consider including the username in the JWT.
124 votesThis is currently not on our roadmap. You can retrieve this value by making a call through the Graph API. If this is needed for your scenarios, please continue voting and we will review at a later date.
-
Set MFA using Azure Active Directory Powershell Module
Add support in Azure Active Directory PowerShell module to set Multi-Factor Authentication (MFA).
Thanks
123 votes -
Go Direct to Password Reset from Sign-In/Sign-Up
The Sign-in only policy allows the user to go directly to the password reset.
The Sign-in/Sign-Up does not allow this. The user gets redirected back and you have to handle AADB2C90118.
While this flow is useful for some people the opposite is also true. Please allow me to specify the password reset policy in my sign-in/sign-up policy so the round trip is not required if I don't want it.
123 votesWe have started working on this feature and hope to have another update by Oct 2018.
/Parakh
-
AD Groups in Application Owners
Would be great to be able to add groups to application owners in AD instead of only users. Scenario is to use on-prem AD synced with Azure to keep management of application roles/groups/etc on-prem for cloud hosted solutions.
Thanks!
123 votes -
Pre-Provision MFA "StrongAuthenticationUserDetails" via PowerShell?
We have over 12,000 users we need to provision for MFA.
I know we can enable MFA via PowerShell, but there doesn't seem to be a way to update the "StrongAuthenticationUserDetails" attribute (Alt. Phone, Email, etc.) programmatically.
This is turning out to be a huge pain for us. Does anyone have a timeline for when we'll be able to do this?
122 votes -
Change tracking for Conditional Access Policies
Support some kind of change tracking or auditing in regards to changes made for Conditional Access Policies?
122 votes -
Get 'low license count' notification
It would be beneficial to get a notification when license count gets to x number. We are syncing our users with DirSync and apply licenses based on group membership. When users get synced and we have no licenses, I have zero idea until someone comes to me that they cannot get logged in to O365.
119 votes -
Add reporting to see how many users have or have not registered for Self Service Password Reset.
Would be helpful so we know who to target to get them registered within our organization
118 votesHi folks! This feature is still in progress and will go to public preview soon. I will update this request once it’s in public preview. I apologize for the delay – we know how important this is!
-
Getting more granular permissions with Graph API and SPO sites
Do we have any plans to allow Azure AD-registered apps accessing Microsoft Graph APIs (such as SharePoint Online) to have more granular permissions? Can we get SharePoint Online (SPO) to enforce more granular authorization rules based on the app identity and some manifest rules to restrict the site collection for example, instead of Sites.Read.All? I am looking for something like this: https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs, but for Azure-AD apps (where we can specify really granular permissions).
This question is around the ability to customize Microsoft Graph APIs such as SharePoint Online APIs to restrict the site collections that can be accessed by…
116 votes -
B2C Roadmap
Deliver a roadmap which shows what functionality is planned and under review.
112 votesHi all, unfortunately we don’t have plans to share out a public roadmap. This is constantly changing as we’re listening to customer requests. We will continue to update feedback.azure items as they come up so feel free to suggest anything you are curious about.
-
Allow User Account Administrator to enable MFA for users, not require global admin
A best practice is to limit the number of global admins, yet a global admin is required to enable MFA for users. This should be allowed in the User Account Administrator role to enable MFA for users.
110 votesWe aren’t planning to add the ability to enable MFA per-user to the Account Administrator, but we do have planned a limited admin role that will be able to perform that function, along with other MFA related settings. If you’ve implemented MFA through Conditional Access policy instead of the per-user enablement, you can use the Conditional Access Policy admin to control who has to do MFA.
-
All Powershell/BASH/script Azure AD join
For converting BOYD to Azure AD in the field w/o user intervention, we need a way for elevated accounts to be able to perform an Azure AD join of devices via script.... come on, this is the basics...
Think of it as MDM self-enrollment... if not that, then give us a one-click way for users to self-enroll the device.
107 votesThanks for the feedback on this. There are several ways to do Azure AD join (OOBE, bulk enrollment and Autopilot) which provide a richer experience to join devices to Azure AD. We’re continuously working to enhance those, so currently this is unplanned for the near future. Please continue to vote to help us prioritize
—
Ravi
- Don't see your idea?